@vizzly-testing/honeydiff
Supply chain provenance
Status for the latest visible version.
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
Keywords
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| npm-metadata | bundled-binaries | AI (npm-metadata): Neon/Rust native binding; platform .node files are the expected prebuilt binary distribution mechanism. | ai | |
| semgrep | semgrep:dynamic-require | AI (semgrep): Dynamic require resolves platform-specific prebuilt .node path; not arbitrary user input. | ai |
v0.10.3
2 findingsPackage contains compiled binaries that could be backdoors: • platforms/index-aarch64-apple-darwin.node • platforms/index-aarch64-unknown-linux-gnu.node • platforms/index-x86_64-pc-windows-msvc.node • platforms/index-x86_64-unknown-linux-gnu.node
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.
v0.10.2
2 findingsPackage contains compiled binaries that could be backdoors: • platforms/index-aarch64-apple-darwin.node • platforms/index-aarch64-unknown-linux-gnu.node • platforms/index-x86_64-pc-windows-msvc.node • platforms/index-x86_64-unknown-linux-gnu.node
Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.